[apparmor] Rev 1435: Add testcases for new LSM-audit log messages.

Kees Cook kees at ubuntu.com
Fri Sep 10 03:03:07 BST 2010


Oh, weird, I swear I nominated that. Sorry if I dropped the ball on that,
yes, ACK. :)

On Thu, Sep 09, 2010 at 06:49:15PM -0700, Steve Beattie wrote:
> This particular commit, rev 1435 from trunk, never got nominated for
> the 2.5.1 branch, but is pretty crucial for parsing the most recent
> version of apparmor's log messages. Thus I'm nominating it for 2.5.1.
> 
> (I want to review it a little more closely myself.)
> 
> On Mon, Jul 26, 2010 at 04:18:26PM -0000, noreply at launchpad.net wrote:
> > ------------------------------------------------------------
> > revno: 1435
> > committer: Kees Cook <kees.cook at canonical.com>
> > branch nick: master
> > timestamp: Mon 2010-07-26 09:16:23 -0700
> > message:
> >   Add testcases for new LSM-audit log messages.
> >   Update log parser grammar to handle new LSM-audit log messages.
> > added:
> >   libraries/libapparmor/testsuite/test_multi/avc_audit_01.in
> >   libraries/libapparmor/testsuite/test_multi/avc_audit_01.out
> >   libraries/libapparmor/testsuite/test_multi/avc_audit_02.in
> >   libraries/libapparmor/testsuite/test_multi/avc_audit_02.out
> >   libraries/libapparmor/testsuite/test_multi/avc_audit_03.in
> >   libraries/libapparmor/testsuite/test_multi/avc_audit_03.out
> >   libraries/libapparmor/testsuite/test_multi/avc_syslog_01.in
> >   libraries/libapparmor/testsuite/test_multi/avc_syslog_01.out
> >   libraries/libapparmor/testsuite/test_multi/avc_syslog_02.in
> >   libraries/libapparmor/testsuite/test_multi/avc_syslog_02.out
> >   libraries/libapparmor/testsuite/test_multi/avc_syslog_03.in
> >   libraries/libapparmor/testsuite/test_multi/avc_syslog_03.out
> > modified:
> >   libraries/libapparmor/src/grammar.y
> >   libraries/libapparmor/src/scanner.l
> >   utils/SubDomain.pm
> > 
> > 
> > --
> > lp:apparmor
> > https://code.launchpad.net/~apparmor-dev/apparmor/master
> > 
> 
> > === modified file 'libraries/libapparmor/src/grammar.y'
> > --- libraries/libapparmor/src/grammar.y	2009-09-18 21:13:04 +0000
> > +++ libraries/libapparmor/src/grammar.y	2010-07-26 16:16:23 +0000
> > @@ -1,6 +1,7 @@
> >  /*
> >   *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
> >   *   NOVELL (All rights reserved)
> > + *   Copyright (c) 2010, Canonical, Ltd.
> >   *
> >   *   This program is free software; you can redistribute it and/or
> >   *   modify it under the terms of version 2 of the GNU General Public
> > @@ -96,6 +97,13 @@
> >  %token TOK_TYPE_HINT
> >  %token TOK_TYPE_STATUS
> >  %token TOK_TYPE_ERROR
> > +%token TOK_TYPE_AA_REJECT
> > +%token TOK_TYPE_AA_AUDIT
> > +%token TOK_TYPE_AA_COMPLAIN
> > +%token TOK_TYPE_AA_HINT
> > +%token TOK_TYPE_AA_STATUS
> > +%token TOK_TYPE_AA_ERROR
> > +%token TOK_TYPE_LSM_AVC
> >  %token TOK_OLD_TYPE_APPARMOR
> >  %token TOK_OLD_APPARMOR_REJECT
> >  %token TOK_OLD_APPARMOR_PERMIT
> > @@ -123,6 +131,7 @@
> >  %token TOK_OLD_FORK
> >  %token TOK_OLD_CHILD
> >  
> > +%token TOK_KEY_APPARMOR
> >  %token TOK_KEY_TYPE
> >  %token TOK_KEY_MSG
> >  %token TOK_KEY_OPERATION
> > @@ -146,6 +155,7 @@
> >  %token TOK_KEY_ERROR
> >  %token TOK_KEY_FSUID
> >  %token TOK_KEY_OUID
> > +%token TOK_KEY_COMM
> >  
> >  %token TOK_SYSLOG_KERNEL
> >  
> > @@ -168,13 +178,14 @@
> >  	;
> >  
> >  new_syntax:
> > -	  TOK_TYPE_REJECT audit_msg key_list { ret_record->event = AA_RECORD_DENIED; }
> > -	| TOK_TYPE_AUDIT audit_msg key_list { ret_record->event = AA_RECORD_AUDIT; }
> > -	| TOK_TYPE_COMPLAIN audit_msg key_list { ret_record->event = AA_RECORD_ALLOWED; }
> > -	| TOK_TYPE_HINT audit_msg key_list { ret_record->event = AA_RECORD_HINT; }
> > -	| TOK_TYPE_STATUS audit_msg key_list { ret_record->event = AA_RECORD_STATUS; }
> > -	| TOK_TYPE_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
> > +	  TOK_TYPE_AA_REJECT audit_msg key_list { ret_record->event = AA_RECORD_DENIED; }
> > +	| TOK_TYPE_AA_AUDIT audit_msg key_list { ret_record->event = AA_RECORD_AUDIT; }
> > +	| TOK_TYPE_AA_COMPLAIN audit_msg key_list { ret_record->event = AA_RECORD_ALLOWED; }
> > +	| TOK_TYPE_AA_HINT audit_msg key_list { ret_record->event = AA_RECORD_HINT; }
> > +	| TOK_TYPE_AA_STATUS audit_msg key_list { ret_record->event = AA_RECORD_STATUS; }
> > +	| TOK_TYPE_AA_ERROR audit_msg key_list { ret_record->event = AA_RECORD_ERROR; }
> >  	| TOK_TYPE_UNKNOWN audit_msg key_list { ret_record->event = lookup_aa_event($1); }
> > +	| TOK_TYPE_LSM_AVC audit_msg key_list
> >  	;
> >  
> >  other_audit: TOK_TYPE_OTHER audit_msg TOK_MSG_REST
> > @@ -420,6 +431,17 @@
> >  	{ ret_record->fsuid = $3;}
> >  	| TOK_KEY_OUID TOK_EQUALS TOK_DIGITS
> >  	{ ret_record->ouid = $3;}
> > +	| TOK_KEY_COMM TOK_EQUALS TOK_QUOTED_STRING
> > +	| TOK_KEY_APPARMOR TOK_EQUALS apparmor_event
> > +	;
> > +
> > +apparmor_event:
> > +	  TOK_TYPE_REJECT	{ ret_record->event = AA_RECORD_DENIED; }
> > +	| TOK_TYPE_AUDIT	{ ret_record->event = AA_RECORD_AUDIT; }
> > +	| TOK_TYPE_COMPLAIN	{ ret_record->event = AA_RECORD_ALLOWED; }
> > +	| TOK_TYPE_HINT		{ ret_record->event = AA_RECORD_HINT; }
> > +	| TOK_TYPE_STATUS	{ ret_record->event = AA_RECORD_STATUS; }
> > +	| TOK_TYPE_ERROR	{ ret_record->event = AA_RECORD_ERROR; }
> >  	;
> >  
> >  key_pid: TOK_KEY_PID TOK_EQUALS TOK_DIGITS { ret_record->pid = $3; }
> > 
> > === modified file 'libraries/libapparmor/src/scanner.l'
> > --- libraries/libapparmor/src/scanner.l	2010-02-10 23:13:55 +0000
> > +++ libraries/libapparmor/src/scanner.l	2010-07-26 16:16:23 +0000
> > @@ -1,6 +1,7 @@
> >  /*
> >   *   Copyright (c) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007
> >   *   NOVELL (All rights reserved)
> > + *   Copyright (c) 2010, Canonical, Ltd.
> >   *
> >   *   This program is free software; you can redistribute it and/or
> >   *   modify it under the terms of version 2 of the GNU General Public
> > @@ -84,12 +85,19 @@
> >  modes		({mode_chars}+)|({mode_chars}+::{mode_chars}*)|(::{mode_chars}*)
> >  /* New message types */
> >  
> > -reject_type		"APPARMOR_DENIED"
> > -audit_type		"APPARMOR_AUDIT"
> > -complain_type		"APPARMOR_ALLOWED"
> > -hint_type		"APPARMOR_HINT"
> > -status_type		"APPARMOR_STATUS"
> > -error_type		"APPARMOR_ERROR"
> > +aa_reject_type		"APPARMOR_DENIED"
> > +aa_audit_type		"APPARMOR_AUDIT"
> > +aa_complain_type	"APPARMOR_ALLOWED"
> > +aa_hint_type		"APPARMOR_HINT"
> > +aa_status_type		"APPARMOR_STATUS"
> > +aa_error_type		"APPARMOR_ERROR"
> > +reject_type		"\"DENIED\""
> > +audit_type		"\"AUDIT\""
> > +complain_type		"\"ALLOWED\""
> > +hint_type		"\"HINT\""
> > +status_type		"\"STATUS\""
> > +error_type		"\"ERROR\""
> > +lsm_avc_type		"AVC"
> >  unknown_type		UNKNOWN\[{digits}+\]
> >  other_audit_type	[[:alnum:]\[\]_-]+
> >  
> > @@ -125,6 +133,7 @@
> >  
> >  /* Key tokens */
> >  
> > +key_apparmor		"apparmor"
> >  key_type		"type"
> >  key_msg			"msg"
> >  key_operation		"operation"
> > @@ -147,6 +156,7 @@
> >  key_error		"error"
> >  key_fsuid		"fsuid"
> >  key_ouid		"ouid"
> > +key_comm		"comm"
> >  audit			"audit"
> >  
> >  /* syslog tokens */
> > @@ -240,6 +250,13 @@
> >  	{hint_type}	{ BEGIN(INITIAL); return(TOK_TYPE_HINT); }
> >  	{status_type}	{ BEGIN(INITIAL); return(TOK_TYPE_STATUS); }
> >  	{error_type}	{ BEGIN(INITIAL); return(TOK_TYPE_ERROR); }
> > +	{aa_reject_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_REJECT); }
> > +	{aa_audit_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_AUDIT); }
> > +	{aa_complain_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_COMPLAIN); }
> > +	{aa_hint_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_HINT); }
> > +	{aa_status_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_STATUS); }
> > +	{aa_error_type}	{ BEGIN(INITIAL); return(TOK_TYPE_AA_ERROR); }
> > +	{lsm_avc_type}	{ BEGIN(INITIAL); return(TOK_TYPE_LSM_AVC); }
> >  	{unknown_type}	{ char *yptr = yytext;
> >  			  while (*yptr && *yptr != '[')
> >  			  	yptr++;
> > @@ -300,6 +317,7 @@
> >  	{key_attribute}	{ BEGIN(sub_id); return(TOK_KEY_ATTRIBUTE); }
> >  }
> >  
> > +{key_apparmor}		{ BEGIN(audit_types); return(TOK_KEY_APPARMOR); }
> >  {key_type}		{ BEGIN(audit_types); return(TOK_KEY_TYPE); }
> >  {key_msg}		{ return(TOK_KEY_MSG); }
> >  {key_operation}		{ return(TOK_KEY_OPERATION); }
> > @@ -321,6 +339,7 @@
> >  {key_error}		{ return(TOK_KEY_ERROR); }
> >  {key_fsuid}		{ return(TOK_KEY_FSUID); }
> >  {key_ouid}		{ return(TOK_KEY_OUID); }
> > +{key_comm}		{ return(TOK_KEY_COMM); }
> >  
> >  {syslog_kernel}		{ BEGIN(dmesg_timestamp); return(TOK_SYSLOG_KERNEL); }
> >  {syslog_month}		{ yylval->t_str = strdup(yytext); return(TOK_DATE_MONTH); }
> > 
> > === added file 'libraries/libapparmor/testsuite/test_multi/avc_audit_01.in'
> > --- libraries/libapparmor/testsuite/test_multi/avc_audit_01.in	1970-01-01 00:00:00 +0000
> > +++ libraries/libapparmor/testsuite/test_multi/avc_audit_01.in	2010-07-26 16:16:23 +0000
> > @@ -0,0 +1,1 @@
> > +type=AVC msg=audit(1279948288.415:39): apparmor="DENIED" operation="open" parent=12332 profile="/usr/sbin/cupsd" name="/home/user/.ssh/" pid=12333 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
> > 
> > === added file 'libraries/libapparmor/testsuite/test_multi/avc_audit_01.out'
> > --- libraries/libapparmor/testsuite/test_multi/avc_audit_01.out	1970-01-01 00:00:00 +0000
> > +++ libraries/libapparmor/testsuite/test_multi/avc_audit_01.out	2010-07-26 16:16:23 +0000
> > @@ -0,0 +1,15 @@
> > +START
> > +File: test_multi/avc_audit_01.in
> > +Event type: AA_RECORD_DENIED
> > +Audit ID: 1279948288.415:39
> > +Operation: open
> > +Mask: r
> > +Denied Mask: r
> > +fsuid: 0
> > +ouid: 1000
> > +Profile: /usr/sbin/cupsd
> > +Name: /home/user/.ssh/
> > +Parent: 12332
> > +PID: 12333
> > +Epoch: 1279948288
> > +Audit subid: 39
> > 
> > === added file 'libraries/libapparmor/testsuite/test_multi/avc_audit_02.in'
> > --- libraries/libapparmor/testsuite/test_multi/avc_audit_02.in	1970-01-01 00:00:00 +0000
> > +++ libraries/libapparmor/testsuite/test_multi/avc_audit_02.in	2010-07-26 16:16:23 +0000
> > @@ -0,0 +1,1 @@
> > +type=AVC msg=audit(1279948227.175:27): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient3" pid=12291 comm="apparmor_parser"
> > 
> > === added file 'libraries/libapparmor/testsuite/test_multi/avc_audit_02.out'
> > --- libraries/libapparmor/testsuite/test_multi/avc_audit_02.out	1970-01-01 00:00:00 +0000
> > +++ libraries/libapparmor/testsuite/test_multi/avc_audit_02.out	2010-07-26 16:16:23 +0000
> > @@ -0,0 +1,9 @@
> > +START
> > +File: test_multi/avc_audit_02.in
> > +Event type: AA_RECORD_STATUS
> > +Audit ID: 1279948227.175:27
> > +Operation: profile_replace
> > +Name: /sbin/dhclient3
> > +PID: 12291
> > +Epoch: 1279948227
> > +Audit subid: 27
> > 
> > === added file 'libraries/libapparmor/testsuite/test_multi/avc_audit_03.in'
> > --- libraries/libapparmor/testsuite/test_multi/avc_audit_03.in	1970-01-01 00:00:00 +0000
> > +++ libraries/libapparmor/testsuite/test_multi/avc_audit_03.in	2010-07-26 16:16:23 +0000
> > @@ -0,0 +1,1 @@
> > +type=AVC msg=audit(1279968846.035:77): apparmor="ALLOWED" operation="open" parent=7014 profile="/tmp/cat" name="/etc/passwd" pid=21645 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> > 
> > === added file 'libraries/libapparmor/testsuite/test_multi/avc_audit_03.out'
> > --- libraries/libapparmor/testsuite/test_multi/avc_audit_03.out	1970-01-01 00:00:00 +0000
> > +++ libraries/libapparmor/testsuite/test_multi/avc_audit_03.out	2010-07-26 16:16:23 +0000
> > @@ -0,0 +1,15 @@
> > +START
> > +File: test_multi/avc_audit_03.in
> > +Event type: AA_RECORD_ALLOWED
> > +Audit ID: 1279968846.035:77
> > +Operation: open
> > +Mask: r
> > +Denied Mask: r
> > +fsuid: 1000
> > +ouid: 0
> > +Profile: /tmp/cat
> > +Name: /etc/passwd
> > +Parent: 7014
> > +PID: 21645
> > +Epoch: 1279968846
> > +Audit subid: 77
> > 
> > === added file 'libraries/libapparmor/testsuite/test_multi/avc_syslog_01.in'
> > --- libraries/libapparmor/testsuite/test_multi/avc_syslog_01.in	1970-01-01 00:00:00 +0000
> > +++ libraries/libapparmor/testsuite/test_multi/avc_syslog_01.in	2010-07-26 16:16:23 +0000
> > @@ -0,0 +1,1 @@
> > +Jul 24 12:25:33 spriggan kernel: [42416.178567] type=1400 audit(1279967133.365:54): apparmor="DENIED" operation="open" parent=19650 profile="/usr/sbin/cupsd" name="/boot/" pid=19651 comm="ls" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
> > 
> > === added file 'libraries/libapparmor/testsuite/test_multi/avc_syslog_01.out'
> > --- libraries/libapparmor/testsuite/test_multi/avc_syslog_01.out	1970-01-01 00:00:00 +0000
> > +++ libraries/libapparmor/testsuite/test_multi/avc_syslog_01.out	2010-07-26 16:16:23 +0000
> > @@ -0,0 +1,15 @@
> > +START
> > +File: test_multi/avc_syslog_01.in
> > +Event type: AA_RECORD_DENIED
> > +Audit ID: 1279967133.365:54
> > +Operation: open
> > +Mask: r
> > +Denied Mask: r
> > +fsuid: 0
> > +ouid: 0
> > +Profile: /usr/sbin/cupsd
> > +Name: /boot/
> > +Parent: 19650
> > +PID: 19651
> > +Epoch: 1279967133
> > +Audit subid: 54
> > 
> > === added file 'libraries/libapparmor/testsuite/test_multi/avc_syslog_02.in'
> > --- libraries/libapparmor/testsuite/test_multi/avc_syslog_02.in	1970-01-01 00:00:00 +0000
> > +++ libraries/libapparmor/testsuite/test_multi/avc_syslog_02.in	2010-07-26 16:16:23 +0000
> > @@ -0,0 +1,1 @@
> > +Jul 24 12:24:41 spriggan kernel: [42364.269117] type=1400 audit(1279967081.455:42): apparmor="STATUS" operation="profile_replace" name="/sbin/dhclient3" pid=19610 comm="apparmor_parser"
> > 
> > === added file 'libraries/libapparmor/testsuite/test_multi/avc_syslog_02.out'
> > --- libraries/libapparmor/testsuite/test_multi/avc_syslog_02.out	1970-01-01 00:00:00 +0000
> > +++ libraries/libapparmor/testsuite/test_multi/avc_syslog_02.out	2010-07-26 16:16:23 +0000
> > @@ -0,0 +1,9 @@
> > +START
> > +File: test_multi/avc_syslog_02.in
> > +Event type: AA_RECORD_STATUS
> > +Audit ID: 1279967081.455:42
> > +Operation: profile_replace
> > +Name: /sbin/dhclient3
> > +PID: 19610
> > +Epoch: 1279967081
> > +Audit subid: 42
> > 
> > === added file 'libraries/libapparmor/testsuite/test_multi/avc_syslog_03.in'
> > --- libraries/libapparmor/testsuite/test_multi/avc_syslog_03.in	1970-01-01 00:00:00 +0000
> > +++ libraries/libapparmor/testsuite/test_multi/avc_syslog_03.in	2010-07-26 16:16:23 +0000
> > @@ -0,0 +1,1 @@
> > +Jul 24 12:54:06 spriggan kernel: [44128.842691] type=1400 audit(1279968846.035:77): apparmor="ALLOWED" operation="open" parent=7014 profile="/tmp/cat" name="/etc/passwd" pid=21645 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> > 
> > === added file 'libraries/libapparmor/testsuite/test_multi/avc_syslog_03.out'
> > --- libraries/libapparmor/testsuite/test_multi/avc_syslog_03.out	1970-01-01 00:00:00 +0000
> > +++ libraries/libapparmor/testsuite/test_multi/avc_syslog_03.out	2010-07-26 16:16:23 +0000
> > @@ -0,0 +1,15 @@
> > +START
> > +File: test_multi/avc_syslog_03.in
> > +Event type: AA_RECORD_ALLOWED
> > +Audit ID: 1279968846.035:77
> > +Operation: open
> > +Mask: r
> > +Denied Mask: r
> > +fsuid: 1000
> > +ouid: 0
> > +Profile: /tmp/cat
> > +Name: /etc/passwd
> > +Parent: 7014
> > +PID: 21645
> > +Epoch: 1279968846
> > +Audit subid: 77
> > 
> > === modified file 'utils/SubDomain.pm'
> > --- utils/SubDomain.pm	2010-03-26 13:51:21 +0000
> > +++ utils/SubDomain.pm	2010-07-26 16:16:23 +0000
> > @@ -2,6 +2,7 @@
> >  #
> >  # ----------------------------------------------------------------------
> >  #    Copyright (c) 2006 Novell, Inc. All Rights Reserved.
> > +#    Copyright (c) 2010 Canonical, Ltd.
> >  #
> >  #    This program is free software; you can redistribute it and/or
> >  #    modify it under the terms of version 2 of the GNU General Public
> > @@ -2413,10 +2414,13 @@
> >  our $seenmark;
> >  my $RE_LOG_v2_0_syslog = qr/SubDomain/;
> >  my $RE_LOG_v2_1_syslog = qr/kernel:\s+(\[[\d\.\s]+\]\s+)?(audit\([\d\.\:]+\):\s+)?type=150[1-6]/;
> > +my $RE_LOG_v2_6_syslog = qr/kernel:\s+(\[[\d\.\s]+\]\s+)?type=\d+\s+audit\([\d\.\:]+\):\s+apparmor=/;
> >  my $RE_LOG_v2_0_audit  =
> >      qr/type=(APPARMOR|UNKNOWN\[1500\]) msg=audit\([\d\.\:]+\):/;
> >  my $RE_LOG_v2_1_audit  =
> >      qr/type=(UNKNOWN\[150[1-6]\]|APPARMOR_(AUDIT|ALLOWED|DENIED|HINT|STATUS|ERROR))/;
> > +my $RE_LOG_v2_6_audit =
> > +    qr/type=AVC\s+audit\([\d\.\:]+\):\s+apparmor=/;
> >  
> >  sub prefetch_next_log_entry {
> >      # if we already have an existing cache entry, something's broken
> > @@ -2434,6 +2438,8 @@
> >          $RE_LOG_v2_0_audit  |
> >          $RE_LOG_v2_1_audit  |
> >          $RE_LOG_v2_1_syslog |
> > +        $RE_LOG_v2_6_syslog |
> > +        $RE_LOG_v2_6_audit  |
> >          $logmark
> >      }x);
> >  }
> > 
> 
> 
> -- 
> Steve Beattie
> <sbeattie at ubuntu.com>
> http://NxNW.org/~steve/





-- 
Kees Cook                                            @outflux.net


